JTRIG tools and techniques

(Redirected from JTRIG CITD - Covert Internet Technical Development)

We don't update this page anymore; it became somewhat of a Chinese menu for effects operations. Information is now available for JTRIG staff at [1]

Understanding this page

Tools and techniques are developed by various teams within JTRIG. We like to let people know when we have something that we think we can use, but we also don't want to oversell our capability.

For this reason, each tool indicates its current status. We may put up experimental tools or ones that are still in development so you know what we are working on, and can approach JTRIG with any new ideas. But experimental tools by their nature will be unreliable; if you raise expectations or make external commitments before speaking to us you will probably end up looking stupid.

Most of our tools are fully operational, tested and reliable. We will indicate when this is the case; however there can be reasons why our tools won't work for some operational requirements (e.g. if it exploits a provider specific vulnerability). There may also be legal restrictions.

So please come and speak to JTRIG operational staff early in your operational planning process.

Current Priorities

Capability Development Priorities can be found by following the link below.

■ CapDev Priorities (Discover)



Engineering

Tool/System | Description | Status | Contacts
Cerberus Statistics Collection | Collects on-going usage information about how many users utilise JTRIG's UIA capability, what sites are the most frequently visited etc. This is in order to provide JTRIG infrastructure and IT Services management information statistics. | OPERATIONAL | JTRIG Software Developers
JTRIG RADIANT SPLENDOUR | is a 'Data Diode' connecting the CERBERUS network with GCNET | OPERATIONAL | JTRIG Software Developers
ALLIUM ARCH | JTRIG UIA via the Tor network. | OPERATIONAL | JTRIG Infrastructure Team
ASTRAL PROJECTION | Remote GSM secure covert internet proxy using TOR hidden services. | OPERATIONAL | JTRIG Infrastructure Team
TWILIGHT ARROW | Remote GSM secure covert internet proxy using VPN services. | OPERATIONAL | JTRIG Infrastructure Team
SPICE ISLAND | JTRIG's new Infrastructure. FOREST WARRIOR, FRUIT BOWL, JAZZ FUSION and other JTRIG systems will form part of the SPICE ISLAND infrastructure | DEV | JTRIG Infrastructure Team
POISON ARROW | Safe Malware download capability. | DESIGN | JTRIG Infrastructure Team
FRUIT BOWL | CERBERUS UIA Replacement and new tools infrastructure - Primary Domain for Generic User/Tools Access and TOR split into 3 sub-systems. | DESIGN | JTRIG Infrastructure Team
NUT ALLERGY | JTRIG Tor web browser - Sandbox IE replacement and FRUIT BOWL sub-system | PILOT | JTRIG Infrastructure Team
BERRY TWISTER | A sub-system of FRUIT BOWL | PILOT | JTRIG Infrastructure Team
BERRY TWISTER+ | A sub-system of FRUIT BOWL | PILOT | JTRIG Infrastructure Team
BRANDY SNAP | JTRIG UIA contingency at Scarborough. | IMPLEMENTATION | JTRIG Infrastructure Team
WIND FARM | R&D off site facility. | DESIGN | JTRIG Infrastructure Team
CERBERUS | JTRIG's legacy UIA desktop, soon to be replaced with FOREST WARRIOR. | OPERATIONAL | JTRIG Infrastructure Team
BOMBAYROLL | JTRIG's legacy UIA standalone capability. | OPERATIONAL | JTRIG Infrastructure Team
JAZZ FUSION | BOMBAY ROLL Replacement which will also incorporate new collectors - Primary Domain for Dedicated Connections split into 3 sub-systems. | IMPLEMENTATION | JTRIG Infrastructure Team
COUNTRY FILE | A sub-system of JAZZ FUSION | OPERATIONAL | JTRIG Infrastructure Team
TECHNO VIKING | A sub-system of JAZZ FUSION | DESIGN | JTRIG Infrastructure Team
JAZZ FUSION+ | A sub-system of JAZZ FUSION | DESIGN | JTRIG Infrastructure Team
BUMBLEBEE DANCE | JTRIG Operational VM/TOR architecture | OPERATIONAL | JTRIG Infrastructure Team
AIR BAG | JTRIG Laptop capability for field operations. | OPERATIONAL | JTRIG Infrastructure Team
EXPOW | GCHQ's UIA capability provided by JTRIG. | OPERATIONAL | JTRIG Infrastructure Team
AXLE GREASE | The covert banking link for CPG | OPERATIONAL | JTRIG Infrastructure Team
POD RACE | JTRIG'S MS update farm | DESIGN | JTRIG Infrastructure Team
WATCHTOWER | GCNET -> CERBERUS Export Gateway Interface System | OPERATIONAL | JTRIG Software Developers
REAPER | CERBERUS -> GCNET Import Gateway Interface System | OPERATIONAL | JTRIG Software Developers
DIALd | External Internet Redial and Monitor Daemon | OPERATIONAL | JTRIG Software Developers
FOREST WARRIOR | Desktop replacement for CERBERUS | DESIGN | JTRIG Infrastructure Team
DOG HANDLER | JTRIG's development network | DESIGN | JTRIG Infrastructure Team
DIRTY DEVIL | JTRIG'S research network | DESIGN | JTRIG Infrastructure Team



Collection

Tool | Description | Contacts | Status
AIRWOLF | YouTube profile, comment and video collection. | | Beta release.
ANCESTRY | Tool for discovering the creation date of yahoo selectors. | JTRIG Software Developers | Fully Operational.
BEARTRAP | Bulk retrieval of public BEBO profiles from member or group ID. | JTRIG Software Developers | Fully Operational.
BIRDSONG | Automated posting of Twitter updates. | JTRIG Software Developers | Replaced by SYLVESTER.
BIRDSTRIKE | Twitter monitoring and profile collection. Click here for the User Guide. | JTRIG Software Developers | Fully Operational
BUGSY | Google+ collection (circles, profiles etc.) | Tech Leads | In early development.
DANCING BEAR | obtains the locations of WiFi access points. | [Tech Lead: ] | Fully Operational.
DEVILS HANDSHAKE | ECI Data Technique. | [Tech Lead: ; Expert User: ] | Fully Operational.
DRAGON'S SNOUT | Paltalk group chat collection. | Tech Leads | Beta release.
EXCALIBUR | acquires a Paltalk UID and/or email address from a Screen Name. | JTRIG Software Developers | Fully operational (against current Paltalk version)
FATYAK | Public data collection from LinkedIn. | [Tech Lead: ] | In development
FUSEWIRE | Provides 24/7 monitoring of vBulletin forums for target postings/online activity. Also allows staggered postings to be made. | JTRIG Software Developers |
GLASSBACK | Technique of getting a targets IP address by pretending to be a spammer and ringing them. Target does not need to answer. | JTRIG Software Developers | Fully operational.
GODFATHER | Public data collection from Facebook. | [Tech Lead: ] | Fully Operational.
GOODFELLA | Generic framework for public data collection from Online Social Networks. | [Tech Lead: ] | In Development (Supports RenRen and Xing).
HACIENDA | is a port scanning tool designed to scan an entire country or city. It uses GEOFUSION to identify IP locations. Banners and content are pulled back on certain ports. Content is put into the EARTHLING database, and all other scanned data is sent to GNE and is available through GLOBAL SURGE and Fleximart. | NAC HACIENDA Taskers | Fully operational.
ICE | is an advanced IP harvesting technique. | JTRIG Software Developers |
INSPECTOR | Tool for monitoring domain information and site availability. | JTRIG Software Developers | Fully Operational.
LANDING PARTY | Tool for auditing dissemination of VIKING PILLAGE data. | JTRIG Software Developers | Fully Operational.
MINIATURE HERO | Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists. | JTRIG Software Developers | Fully operational, but note usage restrictions.
MOUTH | Tool for collection for downloading a user's files from Archive.org. | JTRIG Software Developers | Fully Operational.
MUSTANG | provides covert access to the locations of GSM cell towers. | [Tech Lead: ; Expert User: ] | Fully Operational.
PHOTON TORPEDO | A technique to actively grab the IP address of an MSN messenger user. | | Operational, but usage restrictions.
RESERVOIR | Facebook application allowing collection of various information. | JTRIG Software Developers | Fully operational, but note operational restrictions.
SEBACIUM | An ICTR developed system to identify P2P file sharing activity of intelligence value. Logs are accessible via DIRTY RAT. | [Tech Lead: ; Expert User: ] |
SILVER SPECTER | Allows batch Nmap scanning over TOR | JTRIG Software Developers | In Development
SODAWATER | A tool for regularly downloading gmail messages and forwarding them onto CERBERUS mailboxes | JTRIG Software Developers | Fully Operational.
SPRING BISHOP | Find private photographs of targets on Facebook. | Tech Lead: |
SYLVESTER | Framework for automated interaction / alias management on online social networks. | Tech Lead: | In Development.
TANNER | A technical programme allowing operators to log on to a JTRIG website to grab IP addresses of Internet Cafe's. | JTRIG OSO | Replaced by HAVOK.
FIRE | An Office Document that grabs the targets Machine info, files, logs, etc and posts it back to GCHQ. | JTRIG | In Development.
VIEWER | A programme that (hopefully) provides advance tip off of the kidnappers IP address for HMG personnel. | [Tech Lead: ; Expert User: ] | Operational, but awaiting field trial.
VIKING PILLAGE | Distributed network for the automatic collection of encrypted/compressed data from remotely hosted JTRIG projects. | JTRIG Software Developers | Operational
TOP HAT | A version of the MUSTANG and DANCING BEAR techniques that allows us to pull back Cell Tower and WiFi locations targeted against particular areas. | [Tech Lead: ] | In development.



Effects Capability

JTRIG develop the majority of effects capability in GCHQ. A lot of this capability is developed on demand for specific operations and then further developed to provide weaponised capability.

Don't treat this like a catalogue. If you don't see it here, it doesn't mean we can't build it. If you involve the JTRIG operational teams at the start of your operation, you have more of a chance that we will build something for you.

For each of our tools we have indicated the state of the tool. We only advertise tools here that are either ready to fire or very close to being ready (operational requirements would re-prioritise our development). Once again, involve the JTRIG operational teams early.



Tool | Description | Status | Contacts
ANGRY PIRATE | is a tool that will permanently disable a target's account on their computer. | Ready to fire (but see target restrictions). | [Tech Lead: ]
ARSON SAM | is a tool to test the effect of certain types of PDU SMS messages on phones / network. It also includes PDU SMS Dumb Fuzz testing. | Ready to fire (Not against live targets, this is a R&D Tool). | [Tech Lead: ; Expert User: ]
BUMPERCAR+ | is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other material. The technique employs the services provided by upload providers to report offensive materials. | Ready to fire. | JTRIG Software Developers
BOMB BAY | is the capability to increase website hits/rankings. | In Development. | [Tech Lead: ]
BADGER | mass delivery of email messaging to support an Information Operations campaign | Ready to fire. | JTRIG OSO
BURLESQUE | is the capability to send spoofed SMS text messages. | Ready to fire. | JTRIG OSO
CANNONBALL | is the capability to send repeated text messages to a single target. | Ready to fire. | JTRIG OSO
CLEAN SWEEP | Masquerade Facebook Wall Posts for individuals or entire countries | Ready to fire (SIGINT sources required) | [Tech Lead: ; Expert User: ]
CLUMSY BEEKEEPER | Some work in progress to investigate IRC effects. | NOT READY TO FIRE. |
CHINESE FIRECRACKER | Overt brute login attempts against online forums | Ready to fire. |
CONCRETE DONKEY | is the capability to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message. | In development. |
DEER STALKER | Ability to aid-geolocation of Sat Phones / GSM Phones via a silent calling to the phone. | Ready to fire. |
GATEWAY | Ability to artificially increase traffic to a website | Ready to fire. | JTRIG OSO
GAMBIT | Deployable pocket-sized proxy server | In-development | JTRIG OSO
GESTATOR | amplification of a given message, normally video, on popular multimedia websites (Youtube). | | [Tech Lead: ; Expert User: ]
GLITTERBALL | Online Gaming Capabilities for Sensitive Operations. Currently Second Life. | In development. |
IMPERIAL BARGE | For connecting two target phones together in a call. | Tested. |
PITBULL | Capability, under development, enabling large scale delivery of a tailored message to users of Instant Messaging services. | In development. |
POISONED DAGGER | Effects against Gigatribe. Built by ICTR, deployed by JTRIG. | |
PREDATORS | Targeted Denial Of Service against Web Servers. | |
ROLLING THUNDER | Distributed denial of service using P2P. Built by ICTR, deployed by JTRIG. | |
SCARLET EMPEROR | Targeted denial of service against targets phones via call bombing. | Ready to fire. |
SCRAPHEAP CHALLENGE | Perfect spoofing of emails from Blackberry targets. | Ready to fire, but see constraints. | JTRIG Software Developers
SERPENTS TONGUE | for fax message broadcasting to multiple numbers. | In redevelopment. | [Tech Lead: ; Expert User: ]
SILENT MOVIE | Targeted denial of service against SSH services. | Ready to fire. | [Tech Lead: ]
SILVERBLADE | Reporting of extremist material on DAILYMOTION. | Ready to fire. | [Tech Lead: ]
SILVERFOX | List provided to industry of live extremist material files hosted on FFUs. | Ready to fire. | [Tech Lead: ]
SILVERLORD | Disruption of video-based websites hosting extremist content through concerted target discovery and content removal. | Ready to fire. | [Tech Lead: ; Expert User: ]
SKYSCRAPER | Production and dissemination of multimedia via the web in the course of information operations. | Ready to fire. | [Tech Lead: Section X; Expert Users: Language Team]
SLIPSTREAM | Ability to inflate page views on websites | Ready to fire. | JTRIG OSO
STEALTH MOOSE | is a tool that will Disrupt target's Windows machine. Logs of how long and when the effect is active. | Ready to fire (but see target restrictions). | [Tech Lead: ; Expert User: ]
SUNBLOCK | Ability to deny functionality to send/receive email or view material online. | Tested, but operational limitations. | [Tech Lead: Section X; Expert User: ]
Swamp donkey | is a tool that will silently locate all predefined types of file and encrypt them on a targets machine. | Ready to fire (but see target restrictions). | [Tech Lead: ]
TORNADO ALLEY | is a delivery method (Excel Spreadsheet) that can silently extract and run an executable on a target's machine. | Ready to fire (but see target restrictions). | [Tech Lead: ]
UNDERPASS | Change outcome of online polls (previously known as NUBILO) | In development. | [Tech Lead: Section
VIPERS TONGUE | is a tool that will silently Denial of Service calls on a Satellite Phone or a GSM Phone. | Ready to fire (but see target restrictions). | [Tech Lead: ; Expert User: ]
WARPATH | Mass delivery of SMS messages to support an Information Operations campaign | Ready to fire. | JTRIG OSO





Work Flow Management

Tool | Description | Contacts
HOME PORTAL | A central hub for all JTRIG Cerberus tools | JTRIG Software Developers
CYBER COMMAND CONSOLE | A centralised suite of tools, statistics and viewers for tracking current operations across the Cyber community. | JTRIG Software Developers
NAMEJACKER | A web service and admin console for the translation of usernames between networks. For use with gateways and other such technologies. | JTRIG Software Developers



Analysis Tools

Tool | Description | Contacts
BABYLON | is a tool that bulk queries web mail addresses and verifies whether they can be signed up for. A green tick indicates that the address is currently in use. Verification can currently be done for Hotmail and Yahoo. | JTRIG Software Developers
CRYOSTAT | is a JTRIG tool that runs against data held in NEWPIN. It then displays this data in a chart to show links between targets. | JTRIG Software Developers
ELATE | is a suite of tools for monitoring target use of the UK auction site eBay (www.ebay.co.uk). These tools are hosted on an Internet server, and results are retrieved by encrypted email. | JTRIG Software Developers
PRIMATE | is a JTRIG tool that aims to provide the capability to identify trends in seized computer media data and metadata. | JTRIG Software Developers
JEDI | JTRIG will shortly be rolling out a JEDI pod to every desk of every member of an Intelligence Production Team. The challenge is to scale up to over 1,200 users whilst remaining agile, efficient and responsive to customer needs. | [Tech Lead: ; Expert User: ]
JILES | is a JTRIG bespoke web browser | [Tech Lead: ; Expert User: ]
MIDDLEMAN | is a distributed real-time event aggregation, tip-off and tasking platform utilised by JTRIG as a middleware layer. | JTRIG Software Developers
OUTWARD | is a collection of DNS lookup, WHOIS Lookup and other network tools. | JTRIG Software Developers
TANGLEFOOT | is a bulk search tool which queries a set of online resources. This allows analysts to quickly check the online presence of a target. | JTRIG Software Developers
SLAMMER | is a data index and repository that provides analysts with the ability to query data collected from the Internet from various JTRIG sources, such as EARTHLING, HACIENDA, web pages saved by analysts etc. | JTRIG Software Developers



Databases

Tool | Description | Contacts
BYSTANDER | is a categorisation database accessed via web service. | JTRIG Software Developers
CONDUIT | is a database of C2C identifiers for Intelligence Community assets acting online, either under alias or in real name. | JTRIG Software Developers
NEWPIN | is a database of C2C identifiers obtained from a variety of unique sources, and a suite of tools for exploring this data. | JTRIG Software Developers
QUINCY | is an enterprise level suite of tools for the exploitation of seized media. | [Tech Lead: ; Expert Users: ]



Forensic Exploitation

Tool | Description | Contacts
BEARSCRAPE | can extract WiFi connection history (MAC and timing) when supplied with a copy of the registry structure or run on the box. | [Tech Lead: ; Expert User: ]
SFL | The Sigint Forensics Laboratory was developed within NSA. It has been adapted by JTRIG as its email extraction and first-pass analysis of seized media solution. | [Tech Lead: ]
Snoopy | is a tool to extract mobile phone data from a copy of the phone's memory (usually supplied as an image file extracted through FTK). | [Tech Lead: ; Expert User: ]
MobileHoover | is a tool to extract data from field forensics' reports created by Celldek, Cellebrite, XRY, Snoopy and USIM detective. These reports are transposed into a Newpin XML format to upload to Newpin. | [Tech Lead: ]
Nevis | is a tool developed by NTAC to search disk images for signs of possible Encryption products. CMA have further developed this tool to look for signs of Steganography. | [Tech Lead: ]





Techniques

Tool | Description | Contacts
CHANGELING | Ability to spoof any email address and send email under that identity | JTRIG OSO
HAVOK | Real-time website cloning technique allowing on-the-fly alterations | JTRIG OSO
MIRAGE | | JTRIG OSO
SHADOWCAT | End-to-End encrypted access to a VPS over SSH using the TOR network | JTRIG OSO
SPACE ROCKET | is a programme covering insertion of media into target networks. CRINKLE CUT is a tool developed by ICTR-CISA to enable JTRIG to track images as part of SPACE ROCKET. | [Tech Lead: ; Expert User: ]
RANA | is a system developed by ICTR-CISA providing CAPTCHA-solving via a web service on CERBERUS. This is intended for use by BUMPERCAR+ and possibly in future by SHORTFALL but anyone is welcome to use it. | [Tech Lead: ; Expert User: ]
LUMP | A system that finds the avatar name from a SecondLife AgentID | JTRIG Software Developers
GURKHAS SWORD | Beaconed Microsoft Office Documents to elicit a targets IP address. | JTRIG Software Developers



Shaping and Honeypots

Tool | Description | Contacts
DEADPOOL | URL shortening service | JTRIG OSO
HUSK | Secure one-to-one web based dead-drop messaging platform | JTRIG OSO
LONGSHOT | File-upload and sharing website | JTRIG OSO
MOLTEN-MAGMA | CGI HTTP Proxy with ability to log all traffic and perform HTTPS Man in the Middle. | JTRIG Software Developers
NIGHTCRAWLER | Public online group against dodgy websites | JTRIG OSO
PISTRIX | Image hosting and sharing website | JTRIG OSO
WURLITZER | Distribute a file to multiple file hosting websites. |


